A system is described for controlling access to resources using an object model. Users can specify use cases for accessing resources. The user may be granted access if the user satisfies the qualifications required for accessing the resource, has selected a use case permissible for accessing the resource, and satisfies the qualifications required for the use case. Use cases, qualifications, resources, and/or links between them can be implemented using an object model. The system can be used in addition to authentication and authorization.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer system for managing access to computer resources, the computer system comprising: one or more computer readable storage devices storing a plurality of computer readable instructions; and one or more processors configured to execute the plurality of computer readable instructions to cause the computer system to perform operations comprising: receiving, from a first user, a selection of a first purpose, wherein the first purpose is indicated by a first use case object; and in response to receiving the selection of the first purpose: determining a first plurality of resource objects linked to the first use case object; determining authorizations of the first user for a first plurality of computer resources indicated by the first plurality of resource objects; determining that qualifications of the first user satisfy a first qualification of a first qualification object that is linked to the first use case object; and based at least in part on determining that the qualifications of the first user satisfy the first qualification, and further based at least in part on the determined authorizations of the first user for the first plurality of computer resources, providing the first user with access to the first plurality of computer resources indicated by the first plurality of resource objects.
2. The computer system of claim 1, wherein the first plurality of computer resources include at least one of: a file, a folder, a database, a memory, a processor, a drive, a storage device, a computer, a laptop, or a phone.
3. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: receiving an authentication credential including a username and password; and authenticating the first user based on the authentication credential as having an identity indicated by a first user object.
4. The computer system of claim 1, wherein: the one or more computer readable storage devices are further configured to store: a first user object indicating an identity of the first user; a second use case object indicating a second purpose, wherein the first user object is not linked to the second use case object; and a second resource object indicating a second computer resource, the second resource object linked with at least the second use case object; and the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: determining that the first user object is not linked to the second use case object; and denying access to the second computer resource based at least in part on the determination that the first user object is not linked to the second use case object.
5. The computer system of claim 1, wherein: the one or more computer readable storage devices are further configured to store: a first user object indicating an identity of the first user; a second use case object indicating a second purpose, wherein the first user object is linked to the second use case object; a second qualification object specifying a second qualification, wherein the second qualification object is linked to the second use case object, and wherein qualifications of the first user do not include the second qualification; and a second resource object indicating a second computer resource, the second resource object linked with at least the second use case object; and the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: determining that the qualifications of the first user do not include the second qualification; and denying the first user access to the second computer resource based at least in part on the determination that the qualifications of the first user do not include the second qualification.
6. The computer system of claim 1, wherein: the one or more computer readable storage devices are further configured to store: a first user object indicating an identity of the first user; a second qualification object specifying a second qualification, wherein the first user object is not linked to the second qualification object; and a second resource object indicating a second computer resource, the second resource object linked with at least the second qualification object; and the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: authenticating the first user based on an authentication credential as a person indicated by the first user object; determining that qualifications of the first user do not satisfy the second qualification; and denying access to the second computer resource based at least in part on the determination that the qualifications of the first user do not satisfy the second qualification.
7. The computer system of claim 6, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: transmitting data indicating how to obtain the second qualification.
8. The computer system of claim 7, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: receiving an indication that the first user obtained the second qualification; and creating a link between the first user object and the second qualification object to indicate that the qualifications of the first user satisfy the second qualification.
9. The computer system of claim 1, wherein determining the authorizations of the first user for the first plurality of computer resources indicated by the first plurality of resource objects includes: determining that the first user has at least one of a read authorization, a write authorization, or a modify authorization for at least one of the first plurality of computer resources.
10. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: logging, in an audit log on the one or more computer readable storage devices, an entry for an access to a first computer resource, of the first plurality of computer resources, by the first user, wherein the entry includes at least two of: a time stamp for the access; an identity of the first user; an identity of the first computer resource; the first purpose indicated by the first use case object; the qualifications of the first user; or qualifications required for accessing the first computer resource, the qualifications including the first qualification.
11. The computer system of claim 10, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: receiving log filter criteria; filtering the audit log according to the log filter criteria; and generating a report based on the audit log and the log filter criteria, the report including at least one visualization of data in the audit log.
12. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: receiving a selection, from the first user, of a second purpose indicated by a second use case object; and based at least in part on receiving the selection of the second purpose from the first user, revoking the access to a first computer resource of the first plurality of computer resources.
13. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: receiving a selection, from the first user, of a second purpose indicated by a second use case object, wherein a first resource object of the first plurality of resource objects is linked with the second use case object; determining that qualifications of the first user satisfy second qualifications of a second qualification object linked to the second use case object; and based at least in part on the determination that the qualifications of the first user satisfy the second qualifications of the second qualification object linked to the second use case object, providing the first user with access to the first computer resource.
14. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: receiving a selection, from the first user, of a second purpose indicated by a second use case object, wherein a first resource object of the first plurality of resource objects is linked with the second use case object; determining that qualifications of the first user do not satisfy second qualifications of a second qualification object linked to the second use case object; and based at least in part on the determination that the qualifications of the first user do not satisfy the second qualifications of the second qualification object linked to the second use case object, revoking, from the first user, the access to the first computer resource.
15. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: based on inputs received from an administrator, changing at least one link between two of: a user object, a resource object, a qualification object, or a use case object.
16. The computer system of claim 1, wherein: a tag object is linked to a first resource object of the first plurality of resource objects; a second qualification object is linked to the tag object, wherein the second qualification object specifies a second qualification; and qualifications of the first user satisfy the second qualification of the second qualification object that is linked to the tag object.
17. The computer system of claim 1, wherein: a tag object is linked to the first use case object; a second qualification object is linked to the tag object, wherein the second qualification object specifies a second qualification; and qualifications of the first user satisfy the second qualification of the second qualification object that is linked to the tag object.
18. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: based on inputs received from an administrator, linking a second qualification object to a tag object; and determining whether or not to provide users with access to resources indicated by resource objects that are linked to the tag object based at least in part on qualifications indicated by the second qualification object.
19. The computer system of claim 1, wherein the one or more processors are configured to execute the plurality of computer readable instructions to cause the computer system to perform operations further comprising: based on inputs received from an administrator, linking a second qualification object to a tag object, wherein the tag object is linked to the first use case object; and determining that qualifications of the first user satisfy a second qualification specified by the second qualification object that is associated with the first use case object; and wherein the first user is provided the access to a first computer resource of the first plurality of computer resources based at least in part on the determination that the qualifications of the first user satisfy the second qualification.
20. The computer system of claim 1, wherein the one or more computer readable storage devices further store: the first use case object indicating the first purpose; the first plurality of resource objects indicating the first plurality of computer resources; and the first qualification object indicating the first qualification.
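The decision flow of claims 1 and 4 through 11 (user, use case, resource, qualification and tag objects; denial with a hint on how to obtain the missing qualification; linking a newly obtained qualification; an audit entry per access decision; log filtering) can be exercised in a small policy evaluator. The following is an added example written for this page, not code from the patent or its assignee; every class, function, user, resource and qualification name in it is constructed for illustration.

```python
"""Purpose-based access control built on the object model in the claims above:
user, use case, resource, qualification and tag objects linked to one another.
Added illustrative example, not the patent's code; all names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Tag:                      # tag object (claims 16-19) carrying qualification links
    name: str
    required_quals: set = field(default_factory=set)


@dataclass
class Resource:                 # resource object; qualifications linked directly or via tags
    name: str
    required_quals: set = field(default_factory=set)
    tags: list = field(default_factory=list)

    def all_required_quals(self) -> set:
        return set().union(self.required_quals, *(t.required_quals for t in self.tags))


@dataclass
class UseCase:                  # use case object linked to resource and qualification objects
    purpose: str
    resources: list
    required_quals: set = field(default_factory=set)
    tags: list = field(default_factory=list)

    def all_required_quals(self) -> set:
        return set().union(self.required_quals, *(t.required_quals for t in self.tags))


@dataclass
class User:                     # user object linked to qualifications and permitted use cases
    name: str
    quals: set
    use_cases: set              # purposes this user object is linked to (claim 4)
    authorizations: dict        # resource name -> subset of {"read", "write", "modify"}


AUDIT_LOG: list = []            # audit log entries (claim 10)
HOW_TO_OBTAIN = {               # constructed remediation hints returned on denial (claim 7)
    "hipaa-training": "complete the annual HIPAA training module",
    "finance-cert": "request the finance data-handling certification",
    "auditor-role": "ask the compliance lead to assign the auditor role",
}


def _decide(user, use_case, resource, granted, reason, missing=frozenset()) -> dict:
    """Write one audit entry and return the decision for a single resource."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.name, "resource": resource.name, "purpose": use_case.purpose,
        "user_quals": sorted(user.quals),
        "required_quals": sorted(use_case.all_required_quals() | resource.all_required_quals()),
        "granted": granted, "reason": reason,
    })
    remedy = [HOW_TO_OBTAIN.get(q, "contact an administrator") for q in sorted(missing)]
    return {"granted": granted, "reason": reason, "remedy": remedy}


def evaluate(user: User, use_case: UseCase) -> dict:
    """Claim 1 flow for one selected purpose: returns {resource name: decision}."""
    decisions = {}
    for r in use_case.resources:                              # resources linked to the use case
        if use_case.purpose not in user.use_cases:            # claim 4: user not linked to use case
            decisions[r.name] = _decide(user, use_case, r, False, "user not linked to use case")
            continue
        missing = use_case.all_required_quals() - user.quals  # claims 5 and 17
        if missing:
            decisions[r.name] = _decide(user, use_case, r, False, "missing use-case qualification", missing)
            continue
        missing = r.all_required_quals() - user.quals         # claims 6 and 16
        if missing:
            decisions[r.name] = _decide(user, use_case, r, False, "missing resource qualification", missing)
            continue
        if not (user.authorizations.get(r.name, set()) & {"read", "write", "modify"}):  # claim 9
            decisions[r.name] = _decide(user, use_case, r, False, "no authorization on resource")
            continue
        decisions[r.name] = _decide(user, use_case, r, True, "granted")
    return decisions


def grant_qualification(user: User, qual: str) -> None:
    """Claim 8: link the user object to a qualification object once it has been obtained."""
    user.quals.add(qual)


def filter_log(**criteria) -> list:
    """Claim 11: exact-match filter over the audit log, e.g. filter_log(user="bob", granted=False)."""
    return [e for e in AUDIT_LOG if all(e.get(k) == v for k, v in criteria.items())]


# Constructed sample objects: one tagged resource, one directly qualified resource, two use cases.
PHI = Tag("phi", {"hipaa-training"})
RECORDS = Resource("patient-records", tags=[PHI])
BILLING = Resource("billing-db", {"finance-cert"})
CLINICAL = UseCase("clinical-care", [RECORDS], {"clinician-license"})
AUDIT = UseCase("billing-audit", [BILLING, RECORDS], {"auditor-role"})
ALICE = User("alice", {"clinician-license", "hipaa-training"}, {"clinical-care", "billing-audit"},
             {"patient-records": {"read"}, "billing-db": {"read"}})
BOB = User("bob", {"auditor-role"}, {"billing-audit"},
           {"patient-records": {"read"}, "billing-db": {"read", "write"}})

if __name__ == "__main__":
    for u, uc in [(ALICE, CLINICAL), (ALICE, AUDIT), (BOB, AUDIT), (BOB, CLINICAL)]:
        print(u.name, uc.purpose, evaluate(u, uc))
```

The evaluator checks the use case link first, then use-case qualifications, then resource qualifications (directly linked or inherited through a tag), and only then the conventional read/write/modify authorization, so a user who is fully authorized on a resource is still denied when the selected purpose or their qualifications do not fit; every decision, granted or not, lands in the audit log with the qualifications that were required at the time.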
February 28, 2019
December 8, 2020